Analysis Overview
SHA256
514e616e306a303bc6239c10b2b841466082130a9c0321f36c06df217c4ff9b2
Threat Level: Known bad
The file hueta.rar was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
Asyncrat family
Stealerium family
StormKitty payload
Stormkitty family
Zgrat family
Async RAT payload
.NET Reactor protector
Enumerates physical storage devices
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-22 17:51
Signatures
Async RAT payload
Asyncrat family
Detect ZGRat V1
Stealerium family
StormKitty payload
Stormkitty family
Zgrat family
.NET Reactor protector
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-22 17:50
Reported
2023-10-22 17:54
Platform
win10v2004-20231020-en
Max time kernel
140s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\rar_auto_file | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\ | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\rar_auto_file\shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\rar_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\.rar\ = "rar_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\ò²…¿\ = "rar_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\rar_auto_file\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\æ½¤ç‘æ•²e⡢㳋䜀耀 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\rar_auto_file\shell\open | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\.rar | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\æ½¤ç‘æ•²e⡢㳋䜀耀\ = "rar_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\hueta.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\hueta.rar"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\hueta.rar
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.0.1185809954\1516661654" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {706f7960-85cd-4a6b-bf87-bb201195974e} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 1964 206c50f1558 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.1.76828398\233188087" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c23ed37d-c473-405f-99fa-5ab50f06b563} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 2392 206c4ffa258 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.2.2029362598\1778945917" -childID 1 -isForBrowser -prefsHandle 3040 -prefMapHandle 3136 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6be0a6c-9731-479e-bb66-b93e58f9b808} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 3252 206c5060d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.3.845811072\657790399" -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 3596 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b30e7fc-ace4-440b-bb61-33eeeae21621} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 3608 206c7b20958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.4.898543667\1954322151" -childID 3 -isForBrowser -prefsHandle 5228 -prefMapHandle 5224 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a804c14-6c45-4dcc-8f03-bc3647828249} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 5240 206c9374b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.6.1892997959\1258275824" -childID 5 -isForBrowser -prefsHandle 5584 -prefMapHandle 5588 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae1ac808-bb65-4feb-b38f-89e7682d4e58} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 5576 206c9376958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.5.221474337\1022228446" -childID 4 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c66a8b6-bb5a-4621-b271-af40c2e69472} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 5368 206c9375158 tab
Network
Files
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\activity-stream.discovery_stream.json.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs.js
C:\Users\Admin\Downloads\pw_ZvtEY.rar.part
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
C:\Users\Admin\AppData\Local\Temp\tmpaddon
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\entries\51D52D298316CD3F9A90A40E946BB34EFA1BFB72
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3tq1igo7.default-release\cache2\entries\180089313729568CF6D0CAF9991F0FA4115478F0
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3tq1igo7.default-release\prefs-1.js